chiark / gitweb /
~mdw / preload-hacks / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
noip.1: Associate connection-to-remote-host aside with `realconnect'.
[preload-hacks] / noip.1
... / ...
CommitLineData
1.de VS
2.sp 1
3.RS
4.nf
5.ft B
6..
7.de VE
8.ft R
9.fi
10.RE
11.sp 1
12..
13.TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks"
14.SH NAME
15noip \- run programs without the ability to use IP sockets
16.SH SYNOPSIS
17.B noip
18.RI [ command
19.RI [ args ...]]
20.SH DESCRIPTION
21The
22.B noip
23program runs
24.I command
25(by default, the user's shell, as determined by the
26.B SHELL
27environment variable) in an environment where attempts to use TCP/IP
28networking are (mostly) transparently translated into the use of
29Unix-domain sockets in a private directory.
30.PP
31There are many programs which use TCP/IP for their own internal
32communications needs, largely unnecessarily. This can present security
33problems: even if a program binds its listening sockets to
34.BR localhost ,
35other users on the same system can still connect, and many such programs
36don't seem to have authentication systems.
37.PP
38.B noip
39addresses this problem by intercepting a program's networking calls and
40making it use Unix-domain sockets in a private directory instead of
41TCP/IP. Now its communications are truly private to the running user.
42.SS The socket directory
43The
44.B noip
45program keeps its sockets in a directory whose name can be configured,
46but by default is
47.BI noip- \c
48.IR username ,
49where
50.I username
51is determined by the
52.B USER
53or
54.B LOGNAME
55environment variables, or is
56.BI uid- \c
57.IR realuid
58in the temporary directory, which in turn is determined by the
59.B TMPDIR
60or
61.B TMP
62environment variables, or is
63.BR /tmp .
64The sockets in this directory are simply named
65.IB dottedquad : port
66after the Internet sockets they represent.
67.PP
68If the socket directory does not exist when a program running under
69.B noip
70starts up, it is created and made readable and writable only by the
71current user. Also, it is scanned and any apparently stale sockets are
72removed.
73.SS Configuration
74The operation of
75.B noip
76is controlled by a configuration file. By default,
77.B noip
78reads configuration from
79.B .noip
80in the calling user's home directory, as determined by the
81.B HOME
82environment, or, failing that, looking up the effective user id in the
83password database. However, if the environment variable
84.B NOIP_CONFIG
85is set, then the file it names is read instead (assuming it exists; if
86it doesn't, no configuration is read).
87.PP
88The configuration file has a simple line-based format. A line is
89ignored if it consists only of whitespace, or if its first
90non-whitespace character is
91.RB ` # '.
92Otherwise, the first whitespace-delimited word is a keyword and the
93remainder of the line is a value. The following keywords are
94recognized.
95.TP
96.BR "debug " [\fInumber\fR]
97If
98.I number
99is nonzero, turn debugging on; if it is zero, turn debugging off. The
100default, if no
101.I number
102is given, is to turn debugging on. Debugging is written to standard
103error. Some debugging is produced before the configuration file is
104read; the environment variable
105.B NOIP_DEBUG
106can be used to control this.
107.TP
108.BI "socketdir " directory
109Store the Unix-domain sockets in
110.IR directory
111rather than the default. The environment variable
112.B NOIP_SOCKETDIR
113can also be used to control which directory is used for sockets.
114.TP
115.BI "autoports " min "\-" max
116Select which ports are used for implicit binding. Allocating ports can
117be a bit slow, since checking whether a Unix domain socket is in use is
118difficult. A wide range makes things easier, because
119.B noip
120starts by trying ports at random from the given range. The environment
121variable
122.B NOIP_AUTOPORTS
123can also be used to control which ports are assigned automatically.
124.TP
125.BI "realbind " acl-entry
126Add an entry to the
127.B realbind
128access control list (ACL). When a program attempts to
129.BR bind (2)
130a socket to an address, the
131.B realbind
132ACL is consulted. If the address is matched, then the program is
133allowed to bind a real Internet socket to that address; otherwise, the
134socket is bound to a Unix-domain socket. Three environment variables
135are consulted too:
136.BR NOIP_REALBIND_BEFORE ,
137.BR NOIP_REALBIND ,
138and
139.BR NOIP_REALBIND_AFTER .
140The
141.B _BEFORE
142rules are inserted at the front of the list; the
143.B _AFTER
144rules are appended on the end. Currently, the rules in
145.B NOIP_REALBIND
146are also put at the end (before the
147.B _AFTER
148rules), though this may change later.
149.TP
150.BI "realconnect " acl-entry
151Add an entry to the
152.B realconnect
153access control list (ACL). When a program attempts to
154.BR connect (2)
155a socket to an address, or to contact another socket using
156.BR sendto (2)
157or
158.BR sendmsg (2),
159the
160.B realconnect
161ACL is consulted. If the destination address is matched, then the
162program is allowed to contact the real Internet socket; otherwise, the
163attempt is made to contact a Unix-domain socket. Three environment variables
164are consulted too:
165.BR NOIP_REALCONNET_BEFORE ,
166.BR NOIP_REALCONNECT ,
167and
168.BR NOIP_REALCONNECT_AFTER .
169The
170.B _BEFORE
171rules are inserted at the front of the list; the
172.B _AFTER
173rules are appended on the end. Currently, the rules in
174.B NOIP_REALCONNECT
175are also put at the end (before the
176.B _AFTER
177rules), though this may change later.
178.IP
179(Aside: An attempt to connect to a remote host may not be a hopeless failure,
180even if a real IP socket is denied:
181.B noip
182deliberately makes no attempt to check that addresses being bound to
183sockets correspond to locally available addresses; and besides, sockets
184can be introduced into the directory by other programs simulating remote
185servers.)
186.TP
187.BI "impbind " bind-rule
188Add an entry to the implicit-bind rule list. When a program attempts to
189.BR connect (2)
190a socket without binding its local address first,
191.B noip
192consults this list to decide on the correct local address to assign.
193Each entry in the list has the form
194.RS
195.IP
196.I address-range
197.IR address | \c
198.B same
199.PP
200The rules are tried in order: if the remote address matches (in the same
201way as in an ACL entry) the address range on the left side of the rule,
202then the socket is bound to the address from the right side; if the
203address on the right is
204.B same
205then the remote address is used.
206.PP
207Three environment variables
208are consulted too:
209.BR NOIP_IMPBIND_BEFORE ,
210.BR NOIP_IMPBIND ,
211and
212.BR NOIP_IMPBIND_AFTER .
213The
214.B _BEFORE
215rules are inserted at the front of the list; the
216.B _AFTER
217rules are appended on the end. Currently, the rules in
218.B NOIP_IMPBIND
219are also put at the end (before the
220.B _AFTER
221rules), though this may change later.
222.RE
223.PP
224An
225.I acl-entry
226is a comma-separated list of entries of the form:
227.IP
228.BR + | \-
229.I address-range
230.RB [ : \c
231.IR port-range ]
232.PP
233(The spaces in the above are optional.)
234.PP
235The leading sign says whether matching addresses should be
236.I accepted
237.RB (` + ')
238or
239.I denied
240.RB (` \- ').
241.PP
242The
243.I address-range
244portion may be any of the following.
245.TP
246.B any
247Matches all addresses.
248.TP
249.B local
250Matches the address of one of the machine's network interfaces.
251.TP
252.I address
253Matches just the given IPv4 or IPv6 address. An
254.I address
255may be enclosed in square brackets; IPv6 addresses must be so enclosed,
256because colons are significant in the rest of the ACL syntax.
257.TP
258.IB address \- address
259Matches any address which falls in the given range. Addresses are
260compared lexicographically, with octets to the left given precedence
261over octets to the right.
262.TP
263.IB address / prefix-length
264Matches an address in the given network.
265.PP
266The
267.I port-range
268may be omitted (which means `match any port'), or may be a single
269.I port
270or a range
271.IB port \- port
272to match.
273.PP
274Range comparisons are always inclusive of both endpoints.
275.PP
276ACL entries are processed in the order they appear in the configuration
277file. The default action of an ACL, used if none of its entries match,
278is the opposite of the last actual entry in the list: if the last entry
279says `accept', then the default is to deny, and vice-versa. If the ACL
280is empty, the default is to deny all addresses.
281.PP
282For example, it may be useful to allow access at least to a DNS server.
283This can be accomplished by adding a line
284.VS
285realconnect +1.2.3.4:53
286.VE
287to the configuration file, where 1.2.3.4 is the IP address of one of
288your DNS server.
289.SS Example applications
290SLIME is an Emacs extension for doing interactive programming with Lisp
291systems. It communicates with the Lisp system using TCP sockets, since
292Unix-domain sockets are unavailable on Windows, and besides, they are
293less well supported by Lisp implementations. Unfortunately, when the
294author wrote this program, SLIME applied no authentication on its TCP
295port, allowing any local user to take over the running Lisp. Worse,
296some Lisps are unable to bind a listening socket to a particular
297address, leaving the socket potentially available to anyone on the
298network. By running Emacs under
299.BR noip ,
300the security hole is closed completely and no messing with
301authentication secrets is needed.
302.PP
303SSH is an excellent tool for secure communications over hostile
304networks. In particular, its ability to forward TCP connections to a
305port on one side of an SSH tunnel to the other side is very useful.
306However, such a forwarded port is available to all users on the source
307side of the tunnel. Using
308.B noip
309and a suitable configuration, a user can restrict access to a forwarded
310port to himself or a small group.
311.SH BUGS
312.B noip
313is implemented as an
314.B LD_PRELOAD
315hack. It won't work on setuid programs. Also, perhaps more
316importantly, it can't do anything to prevent a
317.I malicious
318program's use of networking: a program could theoretically issue sockets
319system calls directly instead of using the C library calls that
320.B noip
321intercepts. It is intended only as a tool for enhancing the security of
322software written by well-meaning programmers who don't understand the
323security aspects of writing networking code.
324.PP
325It's very hard to tell exactly what state a Unix-domain socket is in.
326If the filesystem object isn't there, it's not active, but if it
327.I is
328then the socket might be in use or it might be stale.
329.B noip
330consults
331.B /proc/net/unix
332to decide whether a socket is in use, but this can fail in two ways.
333Firstly, if the socket is created and renamed, the kernel doesn't
334notice, and
335.B noip
336will think that the new name is stale. Secondly, if the socket is
337created, used, unlinked while it's still in use, and recreated, then
338.B noip
339will think that it's in use when in fact it's gone stale. Don't mess
340with
341.BR noip 's
342sockets unless you know what you're doing.
343.PP
344The procedure to replace a Unix-domain socket by an Internet one is
345fairly thorough, but there are some missing cases. In particular, if
346the socket being bound or connected is a duplicate (using
347.BR dup (2))
348then only one of the copies will be fixed. Similarly, copies owned by
349child processes will be unaffected.
350.PP
351This manual is surprisingly long and complicated for such a simple hack.
352.SH AUTHOR
353Mark Wooding, <mdw@distorted.org.uk>
LD_PRELOAD hacks